[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability

WordPress Trac wp-trac at lists.automattic.com
Wed Jan 9 10:53:00 GMT 2008

#5367: Wordpress cookie authentication vulnerability
 Reporter:  sjmurdoch                |        Owner:  westi   
     Type:  defect                   |       Status:  assigned
 Priority:  normal                   |    Milestone:  2.5     
Component:  Security                 |      Version:  2.3.1   
 Severity:  normal                   |   Resolution:          
 Keywords:  security, password, md5  |  
Comment (by sambauers):

 Am I missing something or is the SECRET_KEY now not doing anything at all?

 wp_salt() defines $secret_key from SECRET_KEY on lines 713 - 715 of
 pluggable.php, but then doesn't concatenate it with $salt

 Also, should some value be auto-generated for $secret_key if there is no
 SECRET_KEY defined or do we just rely on the DB based secret in that case?

Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:72>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list